From 1c4001bd082635fc07540eed8a07570762f6f0cc Mon Sep 17 00:00:00 2001 From: jasquat Date: Thu, 5 Dec 2024 10:38:12 -0500 Subject: [PATCH 1/6] upload trivy file only if it has been created w/ burnettk --- .github/workflows/build_docker_images.yml | 36 +++++++++++++++-------- 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build_docker_images.yml b/.github/workflows/build_docker_images.yml index cd8dbd55f..e23df7dfa 100644 --- a/.github/workflows/build_docker_images.yml +++ b/.github/workflows/build_docker_images.yml @@ -31,12 +31,14 @@ on: branches: - main - keycloak-realm-with-groups + - fail-fast-off tags: [v*] jobs: create_docker_images: runs-on: ubuntu-latest strategy: + # fail-fast: false matrix: include: - image_name: sartography/spiffworkflow-frontend 
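Review bot: The `push` trigger now also fires for the `fail-fast-off` branch, which looks like a hook for testing this series rather than a permanent trigger; if so it should be removed before merge so the image build and scan job does not keep running for a throwaway branch. The commented-out `# fail-fast: false` under `strategy` is dead configuration on its own, though a later patch in this series uncomments it, so nothing further is needed for that line.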
@@ -99,34 +101,44 @@ jobs: uses: docker/build-push-action@v6.10.0 with: context: ${{ matrix.context }} - push: false # Don't push yet - load: true # Load image to local Docker daemon + push: false # Don't push yet + load: true # Load image to local Docker daemon tags: ${{ steps.full_tag.outputs.full_tag }} labels: ${{ steps.meta.outputs.labels }} # While we ultimately push multi-arch images (amd64/arm64) to registries, we don't want to do that before we scan for vulns. - # The Action can only load a single arch image into the local dockerd at a time, so we only build and test one arch here. + # The Action can only load a single arch image into the local dockerd at a time, so we only build and test one arch here. # It's pretty likely that any vuln in amd64 is also in arm64, and vice-versa, so the trade-off seems reasonable. - platforms: linux/amd64 + platforms: linux/amd64 cache-from: type=gha cache-to: type=gha,mode=max - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.19.0 with: - image-ref: '${{ steps.full_tag.outputs.full_tag }}' - scan-type: 'image' + image-ref: "${{ steps.full_tag.outputs.full_tag }}" + scan-type: "image" hide-progress: false - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' - exit-code: 1 # Fail the workflow if critical or high vulnerabilities are found + format: "sarif" + output: "trivy-results.sarif" + severity: "CRITICAL,HIGH" + exit-code: 1 # Fail the workflow if critical or high vulnerabilities are found timeout: 15m0s ignore-unfixed: true + - name: Check if Trivy results exist + if: always() + # trivy will fail if vulnerabilities are found but we need to upload them anyway + run: | + if [ -f "trivy-results.sarif" ]; then + echo "UPLOAD_TRIVY_RESULTS=true" >> "$GITHUB_ENV" + else + echo "Trivy results file not found. Skipping upload." 
+ echo "UPLOAD_TRIVY_RESULTS=false" >> "$GITHUB_ENV" + fi - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 - if: always() # Run even if the Trivy scan fails + if: always() && env.UPLOAD_TRIVY_RESULTS == 'true' with: - sarif_file: 'trivy-results.sarif' + sarif_file: "trivy-results.sarif" - name: Push Docker image uses: docker/build-push-action@v6.10.0 From 354401b793a081645ad3dae9e100a26aa9bb225f Mon Sep 17 00:00:00 2001 From: jasquat Date: Thu, 5 Dec 2024 10:48:00 -0500 Subject: [PATCH 2/6] fail only for critical and do not fail fast so we can get the scans for the other images as well w/ burnettk --- .github/workflows/build_docker_images.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build_docker_images.yml b/.github/workflows/build_docker_images.yml index e23df7dfa..d7a18593c 100644 --- a/.github/workflows/build_docker_images.yml +++ b/.github/workflows/build_docker_images.yml @@ -38,7 +38,7 @@ jobs: create_docker_images: runs-on: ubuntu-latest strategy: - # fail-fast: false + fail-fast: false matrix: include: - image_name: sartography/spiffworkflow-frontend @@ -120,7 +120,7 @@ jobs: hide-progress: false format: "sarif" output: "trivy-results.sarif" - severity: "CRITICAL,HIGH" + severity: "CRITICAL" exit-code: 1 # Fail the workflow if critical or high vulnerabilities are found timeout: 15m0s ignore-unfixed: true From 94e9b225379408059699887bb7a7405cc9efc5a7 Mon Sep 17 00:00:00 2001 From: jasquat Date: Thu, 5 Dec 2024 11:01:40 -0500 Subject: [PATCH 3/6] update apt-get packages for connector proxy to fix trivy w/ burnettk --- connector-proxy-demo/Dockerfile | 2 +- newDockerfile | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 newDockerfile diff --git a/connector-proxy-demo/Dockerfile b/connector-proxy-demo/Dockerfile index 9442236a2..29fb53d4b 100644 --- a/connector-proxy-demo/Dockerfile +++ b/connector-proxy-demo/Dockerfile 
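Review bot: The new existence check publishes its result through `$GITHUB_ENV`, so `UPLOAD_TRIVY_RESULTS` becomes visible to every later step of the job (including `Push Docker image`) although only the upload step reads it; a step output keeps the flag scoped to its one consumer. Both `if: always()` conditions also run when the job is cancelled, where `!cancelled()` is usually what is meant. The comment `# trivy will fail if vulnerabilities are found but we need to upload them anyway` describes only half of the situation: as far as I know Trivy writes the SARIF before returning the non-zero exit code for findings, so the missing-file case this step really guards is a build or scan that did not complete, and the comment should say so. Rewritten with an `id` and step outputs, the two steps become:
```yaml
      - name: Check if Trivy results exist
        id: trivy_results
        if: ${{ !cancelled() }}
        run: |
          if [ -f "trivy-results.sarif" ]; then
            echo "exists=true" >> "$GITHUB_OUTPUT"
          else
            # … unchanged: "not found" message …
            echo "exists=false" >> "$GITHUB_OUTPUT"
          fi
      # … unchanged: upload step name and uses …
        if: ${{ !cancelled() && steps.trivy_results.outputs.exists == 'true' }}
```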
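Review bot: The inline comment on `exit-code: 1` still says "critical or high" although `severity` now lists only `CRITICAL`; change it to `exit-code: 1 # Fail the workflow if critical vulnerabilities are found`. Note also that `severity` filters what Trivy reports, not only what fails the step (as far as I can tell from this action's inputs there is no separate fail-on severity), so HIGH findings also drop out of the SARIF that the next step uploads to the Security tab. If the intent is to keep HIGH visible while gating only on CRITICAL, the report and the gate need to be produced by separate scan steps with different `severity` values; otherwise a comment should record that HIGH findings are intentionally no longer tracked here.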
@@ -22,7 +22,7 @@ FROM base AS deployment # vim ftw RUN apt-get update \ && apt-get clean -y \ - && apt-get install -y -q git-core curl procps gunicorn3 default-mysql-client vim-tiny \ + && apt-get install -y -q git-core curl procps gunicorn3 default-mysql-client vim-tiny libkrb5support0 libexpat1 \ && rm -rf /var/lib/apt/lists/* RUN pip install poetry==1.6.1 diff --git a/newDockerfile b/newDockerfile new file mode 100644 index 000000000..b8630674b --- /dev/null +++ b/newDockerfile @@ -0,0 +1,6 @@ +FROM python:3.11.6-slim-bookworm AS base + +RUN apt-get update +RUN apt-get install -q -y git-core curl procps gunicorn3 default-mysql-client vim-tiny +RUN apt-get install -q -y libkrb5support0 libexpat1 + From ab1a1fff52b58970c2f482b049d50efa22d4a052 Mon Sep 17 00:00:00 2001 From: jasquat Date: Thu, 5 Dec 2024 11:15:24 -0500 Subject: [PATCH 4/6] attempt to fix frontend and backend as well w/ burnettk --- spiffworkflow-backend/Dockerfile | 2 +- spiffworkflow-frontend/Dockerfile | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/spiffworkflow-backend/Dockerfile b/spiffworkflow-backend/Dockerfile index a62b022b2..a02c62d48 100644 --- a/spiffworkflow-backend/Dockerfile +++ b/spiffworkflow-backend/Dockerfile @@ -24,7 +24,7 @@ FROM base AS deployment # libpq5 in order to be able to use postgres at runtime RUN apt-get update \ && apt-get clean -y \ - && apt-get install -y -q git-core curl procps gunicorn3 default-mysql-client vim-tiny jq libpq5 \ + && apt-get install -y -q git-core curl procps gunicorn3 default-mysql-client vim-tiny jq libpq5 libkrb5support0 libexpat1 \ && rm -rf /var/lib/apt/lists/* # keep pip up to date diff --git a/spiffworkflow-frontend/Dockerfile b/spiffworkflow-frontend/Dockerfile index 2b5668f19..a8fb5b6d1 100644 --- a/spiffworkflow-frontend/Dockerfile +++ b/spiffworkflow-frontend/Dockerfile 
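Review bot: `libkrb5support0` and `libexpat1` are appended to the install list with no pin and no comment, so a reader cannot tell they are there to replace vulnerable copies already present in the base image rather than as new runtime requirements; add a comment such as `# libkrb5support0 libexpat1: installed explicitly so the patched bookworm versions replace the base-image copies flagged by Trivy`. Because `apt-get install` only upgrades when the repo carries a newer version, this fix silently stops doing anything (and stops being needed) once the base image is refreshed, so bumping the base image tag (its `FROM` line is outside this hunk) or running `apt-get upgrade -y` in the same layer is the more durable remedy. The same pattern recurs in the `spiffworkflow-backend/Dockerfile` hunk of the next patch and in both `spiffworkflow-frontend/Dockerfile` hunks.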
@@ -14,6 +14,8 @@ RUN apt-get update \ curl \ procps \ vim-tiny \ + libkrb5support0 \ + libexpat1 \ && rm -rf /var/lib/apt/lists/* # this matches total memory on spiffworkflow-demo @@ -47,6 +49,13 @@ RUN ./bin/build # Use nginx as the base image FROM nginx:1.25.4-bookworm +RUN apt-get update \ + && apt-get clean -y \ + && apt-get install -y -q \ + libkrb5support0 \ + libexpat1 \ + && rm -rf /var/lib/apt/lists/* + # Remove default nginx configuration RUN rm -rf /etc/nginx/conf.d/* From 5315c341b0868ae4efa5d68a4edc925edb4cdf76 Mon Sep 17 00:00:00 2001 From: jasquat Date: Thu, 5 Dec 2024 11:17:24 -0500 Subject: [PATCH 5/6] also update libaom w/ burnettk --- spiffworkflow-frontend/Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/spiffworkflow-frontend/Dockerfile b/spiffworkflow-frontend/Dockerfile index a8fb5b6d1..3a84c0cf4 100644 --- a/spiffworkflow-frontend/Dockerfile +++ b/spiffworkflow-frontend/Dockerfile @@ -54,6 +54,7 @@ RUN apt-get update \ && apt-get install -y -q \ libkrb5support0 \ libexpat1 \ + libaom3 \ && rm -rf /var/lib/apt/lists/* # Remove default nginx configuration From 642796640b725084df65a1df8c09f769f5c74d3c Mon Sep 17 00:00:00 2001 From: jasquat Date: Thu, 5 Dec 2024 11:19:36 -0500 Subject: [PATCH 6/6] remove test dockerfile w/ burnettk --- newDockerfile | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 newDockerfile diff --git a/newDockerfile b/newDockerfile deleted file mode 100644 index b8630674b..000000000 --- a/newDockerfile +++ /dev/null @@ -1,6 +0,0 @@ -FROM python:3.11.6-slim-bookworm AS base - -RUN apt-get update -RUN apt-get install -q -y git-core curl procps gunicorn3 default-mysql-client vim-tiny -RUN apt-get install -q -y libkrb5support0 libexpat1 -
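Review bot: The two libraries added near line 14 go into the stage that runs `./bin/build`, while the shipped image is built `FROM nginx:1.25.4-bookworm` further down (second hunk), so unless files from that build stage are copied into the nginx stage the first addition changes only the builder and not the image Trivy scans; if that is the case the first hunk can be dropped and only the new nginx-stage `RUN` kept. In the new nginx-stage `RUN`, `apt-get clean -y` runs before `apt-get install`, so it clears nothing the install produces; `rm -rf /var/lib/apt/lists/*` already trims the layer, and dropping the `clean` (or placing it after the install) makes the intent clearer. As for the connector-proxy and backend Dockerfiles, a short comment stating that these packages are upgraded only to clear Trivy CRITICAL findings would help the next maintainer remove them once the base image moves past `1.25.4`.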